perseverance

Reputation: 6622

Lock a specific version of a third party package in Go

Using modules, when I try to lock down a specific version of a package using the following command:

go mod edit -require "google.golang.org/protobuf@v1.10.0"

It shows this under the require section in the go.mod file:

google.golang.org/protobuf v1.10.0

And then when I run:

go mod vendor

It is always pulling down the latest version which is currently v1.24.0. Under the require section in the go.mod file it shows:

google.golang.org/protobuf v1.24.0

Is there a way to lock a specific version no matter what?

I am currently using go version 1.14.3.

Thanks!

Upvotes: 3

Views: 5790

Answers (2)

Bhupinder Singh Narang

Reputation: 365

One way to fix this problem is to run go build once you have made the specific changes to the go mod file. This will ensure you have a go.sum file built into your codebase. This is nothing but a checksum of your fetched package. By doing this, all future pulls will match the checksum in the go.sum file.

Upvotes: 0

Liberatys

Reputation: 223

It seems that it is possible to tell go mod to only get the versions specified without bumping the version.

go -mod=readonly mod vendor

Can be found at: https://github.com/thepudds/go-module-knobs/blob/master/README.md

Upvotes: 2
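
The version drift described in the question can be caught mechanically by comparing go.mod against a list of expected pins after `go mod vendor` has run, for example as a CI step. The following is an added example, not code from either answer; the module `example.com/app`, the dependency `github.com/example/dep` and the sample go.mod text are constructed, and the function names are hypothetical.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed sample: go.mod as the question describes it after `go mod vendor`.
const sampleGoMod = `module example.com/app
require (
	github.com/example/dep v0.3.1 // indirect
	google.golang.org/protobuf v1.24.0
)`

// parseRequires maps module path -> version for single-line and block require directives.
func parseRequires(gomod string) map[string]string {
	reqs, inBlock := map[string]string{}, false
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.SplitN(line, "//", 2)[0]) // drop "// indirect" etc.
		switch {
		case len(f) == 2 && f[0] == "require" && f[1] == "(":
			inBlock = true
		case len(f) == 1 && f[0] == ")":
			inBlock = false
		case len(f) == 3 && f[0] == "require":
			reqs[f[1]] = f[2]
		case inBlock && len(f) == 2:
			reqs[f[0]] = f[1]
		}
	}
	return reqs
}

// pinDrift reports every pinned module whose go.mod version differs or is missing.
func pinDrift(pins map[string]string, gomod string) []string {
	got, drift := parseRequires(gomod), []string{}
	for mod, want := range pins {
		if have := got[mod]; have != want {
			drift = append(drift, fmt.Sprintf("%s: pinned %s, go.mod has %q", mod, want, have))
		}
	}
	sort.Strings(drift)
	return drift
}

func main() {
	fmt.Println(pinDrift(map[string]string{"google.golang.org/protobuf": "v1.10.0"}, sampleGoMod))
}
```

A non-empty result means a pinned dependency moved and the build should stop until the change is reviewed.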
